CN105512555A - Homologous family dividing and mutation method and system based on file string cluster - Google Patents


Info

Publication number
CN105512555A
Authority
CN
China
Prior art keywords
family
vector
file
file destination
mutation
Prior art date
Legal status
Granted
Application number
CN201410762181.1A
Other languages
Chinese (zh)
Other versions
CN105512555B (en)
Inventor
董建武
康学斌
肖新光
Current Assignee
Antiy Technology Group Co Ltd
Original Assignee
Harbin Antiy Technology Co Ltd
Priority date
2014-12-12
Filing date
2014-12-12
Publication date
2016-04-20
Application filed by Harbin Antiy Technology Co Ltd
Priority to CN201410762181.1A
Publication of CN105512555A
Application granted
Publication of CN105512555B
Legal status: Active
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a method and system for dividing homologous families and variants (mutations) based on file string clustering. A dump file and an API call log file of a target file are acquired, and the strings of the dump file, together with the APIs and their parameter information from the log file, are extracted to form vector files. The simhash value computed from each vector is compared against the center distances of the known families and family variants in a family feature vector library: if the distance is smaller than a preset value, the target file belongs to the corresponding family or family variant; if it is larger, the target file is a newly added family or family variant. With this method and system, large numbers of unknown target files can be classified into families and further divided into variants, and the family feature vector library that is built up can be used to discriminate the families and variants of samples.

Description

Method and system for dividing homologous families and variants (mutations) based on file string clustering
Technical field
The present invention relates to the field of network security, and in particular to a method and system for the secondary division of homologous families based on file string clustering.
Background technology
With the rapid development of network and computing technology, the kinds of malicious code, its propagation speed, infection counts and coverage are all growing; the expansion of the Internet also accelerates the propagation of malicious code, especially since people can obtain malicious code source code directly from websites or exchange code over the Internet. As the source code of more and more malicious code and generators is published openly on the network, the malicious code and variants now circulating on the network are of uneven quality, great variety and diverse features.
The question is therefore how to extract the commonalities and differences from these numerous malicious code samples, so as to further divide them into homologous families and the evolutionary relationships of their variants, and to form detection rules that resist malicious code and safeguard network security.
Current virus samples are generated in two main ways: by a generator, or by compiling source code. A generator can modify configuration information such as the domain name, IP address, file name, service name, startup mode and version of the malicious code; each such modification yields a new virus sample, which nevertheless belongs to the same family and even the same variant type. Alternatively, part of the functionality of the source code is cut out or other functions are added and a new virus sample is compiled; this may produce the same family or variant, but may also produce a different family.
Summary of the invention
In view of the above, the present invention proposes a method and system for dividing homologous families and variants based on file string clustering. The kinship and common features of samples are used to classify families and to discover new virus families, and the evolutionary relationships and differentiating features of variant samples within a family are used to incrementally divide variant types.
A method for dividing homologous families and variants based on file string clustering comprises:
performing dynamic analysis and static analysis on a target file to obtain a dump file of the target file and an API call log file;
extracting the designated strings from the dump file to form a string vector file;
calculating the simhash value of the vector in the string vector file, and comparing the distance between that simhash value and the family center value of each known malicious code family in the family feature vector library; if the distance is less than a preset value, the target file belongs to the corresponding malicious code family whose center lies within the preset value, and the next step is performed; otherwise the target file constitutes a new malicious code family, and the target file and its vector information are added to the family feature vector library as a new malicious code family;
extracting the APIs and their parameter information from the API call log file of the target file to form an API vector file;
calculating the simhash value of the API vector in the API vector file, and comparing the distance between that simhash value and the center value of each known family variant within the malicious code family to which the target file belongs; if the distance is less than the preset value, the target file belongs to the family variant whose center lies within the preset value, and the target file and its vector information are added to the family feature vector library; otherwise the target file constitutes a new family variant of the current malicious code family, and the target file and its vector information are added to the family feature vector library as a new family variant.
In the method, adding the target file and its vector information to the family feature vector library as a new malicious code family further comprises: taking the simhash value of the vector in the string vector file of the target file as the center value of the target file's family.
In the method, adding the target file and its vector information to the family feature vector library as a new family variant further comprises: taking the simhash value of the API vector in the API vector file of the target file as the center value of the target file's family variant.
A system for dividing homologous families and variants based on file string clustering comprises:
a static and dynamic analysis module, for performing dynamic analysis and static analysis on a target file to obtain a dump file of the target file and an API call log file;
a string vector extraction module, for extracting the designated strings from the dump file to form a string vector file;
a string vector comparison module, for calculating the simhash value of the vector in the string vector file, and comparing the distance between that simhash value and the family center value of each known malicious code family in the family feature vector library; if the distance is less than a preset value, the target file belongs to the corresponding malicious code family whose center lies within the preset value, and the next step is performed; otherwise the target file constitutes a new malicious code family, and the target file and its vector information are added to the family feature vector library as a new malicious code family;
an API vector extraction module, for extracting the APIs and their parameter information from the API call log file of the target file to form an API vector file;
an API vector comparison module, for calculating the simhash value of the API vector in the API vector file, and comparing the distance between that simhash value and the center value of each known family variant within the malicious code family to which the target file belongs; if the distance is less than the preset value, the target file belongs to the family variant whose center lies within the preset value, and the target file and its vector information are added to the family feature vector library; otherwise the target file constitutes a new family variant of the current malicious code family, and the target file and its vector information are added to the family feature vector library as a new family variant.
In the system, adding the target file and its vector information to the family feature vector library as a new malicious code family further comprises: taking the simhash value of the vector in the string vector file of the target file as the center value of the target file's family.
In the system, adding the target file and its vector information to the family feature vector library as a new family variant further comprises: taking the simhash value of the API vector in the API vector file of the target file as the center value of the target file's family variant.
The advantage of the present invention is that it uses the kinship and common features of family samples to classify families, and uses the evolutionary relationships and differentiating features of variant samples within the same family to cluster variant types incrementally around center points.
The present invention proposes a method and system for dividing homologous families and variants based on file string clustering. It obtains the dump file and the API call log file of the target file, extracts the strings and the APIs with their parameter information to form vector files, computes the simhash values, and compares them with the center distances of the known families and family variants in the family feature vector library: if the distance is less than the preset value, the target file belongs to the corresponding family or family variant; otherwise it is a newly added family or family variant. By means of the present invention, large batches of unknown target files can be classified by family and their variants further divided; at the same time, the family feature vector library that is formed can be used to discriminate the family and variants of samples.
Accompanying drawing explanation
To illustrate the present invention or the technical solutions of the prior art more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments recorded in the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of an embodiment of the method for dividing homologous families and variants based on file string clustering according to the present invention;
Fig. 2 is a schematic diagram of an embodiment of the system for dividing homologous families and variants based on file string clustering according to the present invention.
Embodiment
To enable those skilled in the art to better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features and advantages of the present invention more apparent, the technical solutions of the present invention are described in further detail below with reference to the drawings.
In view of the above, the present invention proposes a method and system for the secondary division of homologous families and variants based on file string clustering. The kinship and common features of samples are used to classify families and to discover new virus families, and the evolutionary relationships and differentiating features of variant samples within a family are used to incrementally divide variant types.
A method for dividing homologous families and variants based on file string clustering, as shown in Figure 1, comprises:
S101: performing dynamic analysis and static analysis on the target file to obtain a dump file of the target file and an API call log file. The dump file is the memory image of the virus sample while it runs; since most virus samples are protected by packing or other forms of encryption, the sample can be run with sandbox technology to obtain the dump file;
S102: extracting the designated strings from the dump file to form a string vector file;
S103: calculating the simhash value of the vector in the string vector file, and comparing the distance between that simhash value and the family center value of each known malicious code family in the family feature vector library; if the distance is less than the preset value, performing S104; otherwise the target file constitutes a new malicious code family, and the target file and its vector information are added to the family feature vector library as a new malicious code family;
If the distance to a family center point is less than 8, the target sample is classified into that family; if the distances to all family center points in the feature vector library are greater than 8, it is a new family, and the simhash value of the target sample's string vector becomes the new family center point;
S104: the target file belongs to the corresponding malicious code family whose center lies within the preset value, and the next step is performed;
S105: extracting the APIs and their parameter information from the API call log file of the target file to form an API vector file;
S106: calculating the simhash value of the API vector in the API vector file, and comparing the distance between that simhash value and the center value of each known family variant within the malicious code family to which the target file belongs; if the distance is less than the preset value, performing S107; otherwise the target file constitutes a new family variant of the current malicious code family, and the target file and its vector information are added to the family feature vector library as a new family variant, with the simhash value of the target file's API vector as the center value of the new family variant;
S107: the target file belongs to the family variant whose center lies within the preset value.
In the method, adding the target file and its vector information to the family feature vector library as a new malicious code family further comprises: taking the simhash value of the vector in the string vector file of the target file as the center value of the target file's family.
In the method, adding the target file and its vector information to the family feature vector library as a new family variant further comprises: taking the simhash value of the API vector in the API vector file of the target file as the center value of the target file's family variant.
A system for dividing homologous families and variants based on file string clustering, as shown in Figure 2, comprises:
a static and dynamic analysis module 201, for performing dynamic analysis and static analysis on the target file to obtain a dump file of the target file and an API call log file;
a string vector extraction module 202, for extracting the designated strings from the dump file to form a string vector file;
a string vector comparison module 203, for calculating the simhash value of the vector in the string vector file, and comparing the distance between that simhash value and the family center value of each known malicious code family in the family feature vector library; if the distance is less than the preset value, the target file belongs to the corresponding malicious code family whose center lies within the preset value, and the next step is performed; otherwise the target file constitutes a new malicious code family, and the target file and its vector information are added to the family feature vector library as a new malicious code family;
an API vector extraction module 204, for extracting the APIs and their parameter information from the API call log file of the target file to form an API vector file;
an API vector comparison module 205, for calculating the simhash value of the API vector in the API vector file, and comparing the distance between that simhash value and the center value of each known family variant within the malicious code family to which the target file belongs; if the distance is less than the preset value, the target file belongs to the family variant whose center lies within the preset value, and the target file and its vector information are added to the family feature vector library; otherwise the target file constitutes a new family variant of the current malicious code family, and the target file and its vector information are added to the family feature vector library as a new family variant.
In the system, adding the target file and its vector information to the family feature vector library as a new malicious code family further comprises: taking the simhash value of the vector in the string vector file of the target file as the center value of the target file's family.
In the system, adding the target file and its vector information to the family feature vector library as a new family variant further comprises: taking the simhash value of the API vector in the API vector file of the target file as the center value of the target file's family variant.
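The two-stage procedure above (the summary's method steps and S101-S107 of the embodiment) can be exercised end to end with the following added example. It is not code from the patent or from the assignee: the dump layout, the API-log line format (`Name("param", 0x1)` per line), the choice of SHA-256 as the per-feature hash inside simhash, and the sample inputs are all assumptions made here; the 64-bit simhash, the Hamming-distance comparison, the preset value of 8, and the rule that a founding sample's simhash becomes the family or variant center follow the text.

```python
"""Two-stage family/variant assignment with simhash (added example, not the patent's code)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# "Preset value" of the embodiment: a Hamming-distance threshold on 64-bit simhash values.
DISTANCE_THRESHOLD = 8

# Feature extraction. The dump and log layouts are assumptions; the patent does not fix them.
_STRING_RE = re.compile(rb"[\x20-\x7e]{5,}")                   # printable ASCII runs of 5+ chars
_API_RE = re.compile(r"^(?P<api>\w+)\((?P<params>.*)\)\s*$")   # e.g. CreateFileW("a.txt", 1)

def extract_strings(dump: bytes) -> List[str]:
    """'Designated strings' of a memory dump; here every printable ASCII run of 5+ characters."""
    return [m.group().decode("ascii") for m in _STRING_RE.finditer(dump)]

def extract_api_tokens(log_lines: Iterable[str]) -> List[str]:
    """API vector: one 'Name|param|param' token per logged call (the API plus its parameters)."""
    tokens = []
    for line in log_lines:
        m = _API_RE.match(line.strip())
        if m is None:
            continue                                  # not an API call record
        params = [p.strip().strip('"') for p in m.group("params").split(",") if p.strip()]
        tokens.append("|".join([m.group("api"), *params]))
    return tokens

def simhash(features: Iterable[str], bits: int = 64) -> int:
    """Charikar simhash: each feature votes +1/-1 on every bit of a 64-bit fingerprint."""
    votes = [0] * bits
    for feature in features:
        h = int.from_bytes(hashlib.sha256(feature.encode("utf-8")).digest()[:8], "big")
        for i in range(bits):
            votes[i] += 1 if (h >> i) & 1 else -1
    return sum(1 << i for i in range(bits) if votes[i] > 0)

def hamming(a: int, b: int) -> int:
    """Distance between two simhash values: the number of differing bits."""
    return bin(a ^ b).count("1")

@dataclass
class Family:
    center: int                                       # simhash of the founding sample's string vector
    variants: Dict[str, int] = field(default_factory=dict)   # variant name -> API-vector center

@dataclass
class Verdict:
    family: str
    variant: Optional[str]   # None when the sample founded a new family (S103 then skips the API stage)
    new_family: bool
    new_variant: bool

class FamilyLibrary:
    """The 'family feature vector library': family centers and, per family, variant centers."""

    def __init__(self, threshold: int = DISTANCE_THRESHOLD):
        self.threshold = threshold
        self.families: Dict[str, Family] = {}
        self._seq = 0

    def _name(self, prefix: str) -> str:
        self._seq += 1
        return f"{prefix}{self._seq}"

    def _nearest(self, value: int, centers: Dict[str, int]) -> Optional[str]:
        """Name of the closest center lying strictly inside the threshold, else None."""
        best = min(centers.items(), key=lambda kv: hamming(value, kv[1]), default=None)
        if best is None or hamming(value, best[1]) >= self.threshold:
            return None
        return best[0]

    def classify(self, dump: bytes, api_log: Iterable[str]) -> Verdict:
        # Stage 1 (S102-S104): string-vector simhash against every family center.
        str_hash = simhash(extract_strings(dump))
        fam = self._nearest(str_hash, {n: f.center for n, f in self.families.items()})
        if fam is None:
            fam = self._name("family")
            self.families[fam] = Family(center=str_hash)  # the sample's simhash is the new center
            return Verdict(fam, None, True, False)
        # Stage 2 (S105-S107): API-vector simhash against the variant centers of that family only.
        api_hash = simhash(extract_api_tokens(api_log))
        family = self.families[fam]
        var = self._nearest(api_hash, family.variants)
        if var is None:
            var = self._name("variant")
            family.variants[var] = api_hash               # new variant center
            return Verdict(fam, var, False, True)
        return Verdict(fam, var, False, False)

# Constructed sample inputs (not real malware artifacts): one dump and two unrelated API call logs.
DUMP_A = (b"MZ\x90\x00\x03\x00http://c2.example.invalid/gate.php\x00\x00"
          b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00svc_update.exe\x00\x7f\x7f")
LOG_A = ['RegSetValueExW("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "svc_update")',
         'InternetOpenUrlA("http://c2.example.invalid/gate.php")', 'CreateProcessW("svc_update.exe")',
         'GetTickCount()', 'WinExec("svc_update.exe")', '# not an API record']
LOG_B = ['CreateFileW("C:\\Users\\user\\notes.txt", 0x80000000)', 'CryptEncrypt(0x1a2b, 0, 1)',
         'WriteFile(0x2c4, 4096)', 'DeleteFileW("C:\\Users\\user\\notes.txt")',
         'FindFirstFileW("C:\\Users\\user\\*")']

def demo():
    lib = FamilyLibrary()
    first = lib.classify(DUMP_A, LOG_A)    # empty library: founds family1, no variant stage
    second = lib.classify(DUMP_A, LOG_A)   # distance 0 to family1; no variants yet: founds variant2
    third = lib.classify(DUMP_A, LOG_B)    # same strings, unrelated API behaviour: new variant3
    fourth = lib.classify(DUMP_A, LOG_B)   # distance 0 to variant3: existing variant
    return first, second, third, fourth

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two points a practitioner should keep in mind when applying the scheme: the text fixes each center at the founding sample's simhash and never moves it, so the order in which samples arrive decides which one defines a family; and simhash over a handful of features is noisy, because adding or dropping a single string can flip well over 8 of the 64 bits, so the preset value is only meaningful once the string and API vectors contain enough features.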
As can be seen from the above description of the embodiments, those skilled in the art will clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware platform. On this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored on a storage medium such as ROM/RAM, a magnetic disk or an optical disc, including instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method described in the embodiments of the present invention or in parts of them.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and identical or similar parts can be consulted across embodiments. In particular, since the system embodiment is substantially similar to the method embodiment, its description is relatively brief, and the relevant parts can be found in the description of the method embodiment.
The present invention can be used in numerous general-purpose or special-purpose computing system environments or configurations, for example: personal computers, server computers, handheld or portable devices, laptop devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, and distributed computing environments including any of the above systems or devices.
The present invention can be described in the general context of computer-executable instructions, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The present invention can also be practiced in distributed computing environments, where tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules can be located in local and remote computer storage media including memory devices.
Although the present invention has been described by way of embodiments, those of ordinary skill in the art will know that the present invention has many variations and changes that do not depart from its spirit, and it is intended that the appended claims cover these variations and changes without departing from the spirit of the present invention.

Claims (6)

1. A method for dividing homologous families and variants based on file string clustering, characterized in that it comprises:
performing dynamic analysis and static analysis on a target file to obtain a dump file of the target file and an API call log file;
extracting the designated strings from the dump file to form a string vector file;
calculating the simhash value of the vector in the string vector file, and comparing the distance between that simhash value and the family center value of each known malicious code family in the family feature vector library; if the distance is less than a preset value, the target file belongs to the corresponding malicious code family whose center lies within the preset value, and the next step is performed; otherwise the target file constitutes a new malicious code family, and the target file and its vector information are added to the family feature vector library as a new malicious code family;
extracting the APIs and their parameter information from the API call log file of the target file to form an API vector file;
calculating the simhash value of the API vector in the API vector file, and comparing the distance between that simhash value and the center value of each known family variant within the malicious code family to which the target file belongs; if the distance is less than the preset value, the target file belongs to the corresponding family variant whose center lies within the preset value; otherwise the target file constitutes a new family variant of the current malicious code family, and the target file and its vector information are added to the family feature vector library as a new family variant.
2. The method of claim 1, characterized in that adding the target file and its vector information to the family feature vector library as a new malicious code family further comprises: taking the simhash value of the vector in the string vector file of the target file as the center value of the target file's family.
3. The method of claim 1, characterized in that adding the target file and its vector information to the family feature vector library as a new family variant further comprises: taking the simhash value of the API vector in the API vector file of the target file as the center value of the target file's family variant.
4. A system for dividing homologous families and variants based on file string clustering, characterized in that it comprises:
a static and dynamic analysis module, for performing dynamic analysis and static analysis on a target file to obtain a dump file of the target file and an API call log file;
a string vector extraction module, for extracting the designated strings from the dump file to form a string vector file;
a string vector comparison module, for calculating the simhash value of the vector in the string vector file, and comparing the distance between that simhash value and the family center value of each known malicious code family in the family feature vector library; if the distance is less than a preset value, the target file belongs to the corresponding malicious code family whose center lies within the preset value, and the next step is performed; otherwise the target file constitutes a new malicious code family, and the target file and its vector information are added to the family feature vector library as a new malicious code family;
an API vector extraction module, for extracting the APIs and their parameter information from the API call log file of the target file to form an API vector file;
an API vector comparison module, for calculating the simhash value of the API vector in the API vector file, and comparing the distance between that simhash value and the center value of each known family variant within the malicious code family to which the target file belongs; if the distance is less than the preset value, the target file belongs to the corresponding family variant whose center lies within the preset value; otherwise the target file constitutes a new family variant of the current malicious code family, and the target file and its vector information are added to the family feature vector library as a new family variant.
5. The system of claim 4, characterized in that adding the target file and its vector information to the family feature vector library as a new malicious code family further comprises: taking the simhash value of the vector in the string vector file of the target file as the center value of the target file's family.
6. The system of claim 4, characterized in that adding the target file and its vector information to the family feature vector library as a new family variant further comprises: taking the simhash value of the API vector in the API vector file of the target file as the center value of the target file's family variant.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410762181.1A CN105512555B (en) 2014-12-12 2014-12-12 Based on the homologous family of division of file character string cluster and the method and system of mutation


Publications (2)

Publication Number Publication Date
CN105512555A true CN105512555A (en) 2016-04-20
CN105512555B CN105512555B (en) 2018-05-25

Family

ID=55720528

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410762181.1A Active CN105512555B (en) 2014-12-12 2014-12-12 Based on the homologous family of division of file character string cluster and the method and system of mutation

Country Status (1)

Country Link
CN (1) CN105512555B (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107092829A (en) * 2017-04-21 2017-08-25 中国人民解放军国防科学技术大学 A kind of malicious code detecting method based on images match
CN108256325A (en) * 2016-12-29 2018-07-06 中移(苏州)软件技术有限公司 A kind of method and apparatus of the detection of malicious code mutation
CN108694319A (en) * 2017-04-06 2018-10-23 武汉安天信息技术有限责任公司 A kind of malicious code family determination method and device
CN109145605A (en) * 2018-08-23 2019-01-04 北京理工大学 A kind of Android malware family clustering method based on SinglePass algorithm
CN110210217A (en) * 2018-04-26 2019-09-06 腾讯科技(深圳)有限公司 A kind of recognition methods of file, equipment and computer readable storage medium
CN111666404A (en) * 2019-03-05 2020-09-15 腾讯科技(深圳)有限公司 File clustering method, device and equipment
CN113268987A (en) * 2021-05-26 2021-08-17 北京百度网讯科技有限公司 Entity name identification method and device, electronic equipment and storage medium
CN113836534A (en) * 2021-09-28 2021-12-24 深信服科技股份有限公司 Virus family identification method, system, equipment and computer storage medium
CN113987502A (en) * 2021-12-29 2022-01-28 阿里云计算有限公司 Object program detection method, device and storage medium
CN114021138A (en) * 2022-01-05 2022-02-08 北京微步在线科技有限公司 Construction method of homologous analysis knowledge base, homologous analysis method and device
CN114662111A (en) * 2022-05-18 2022-06-24 成都数默科技有限公司 Malicious code software gene homology analysis method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101944167A (en) * 2010-09-29 2011-01-12 中国科学院计算技术研究所 Method and system for identifying malicious program
US20130097704A1 (en) * 2011-10-13 2013-04-18 Bitdefender IPR Management Ltd. Handling Noise in Training Data for Malware Detection
CN103679019A (en) * 2012-09-10 2014-03-26 腾讯科技(深圳)有限公司 Malicious file identifying method and device
CN103902905A (en) * 2013-12-17 2014-07-02 哈尔滨安天科技股份有限公司 Malicious code generator identification method and system based on software structure cluster
CN104036187A (en) * 2013-03-04 2014-09-10 阿里巴巴集团控股有限公司 Method and system for determining computer virus types


Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108256325A (en) * 2016-12-29 2018-07-06 中移(苏州)软件技术有限公司 A kind of method and apparatus of the detection of malicious code mutation
CN108694319A (en) * 2017-04-06 2018-10-23 武汉安天信息技术有限责任公司 A kind of malicious code family determination method and device
CN108694319B (en) * 2017-04-06 2021-04-16 武汉安天信息技术有限责任公司 Malicious code family judgment method and device
CN107092829A (en) * 2017-04-21 2017-08-25 中国人民解放军国防科学技术大学 A kind of malicious code detecting method based on images match
CN107092829B (en) * 2017-04-21 2020-03-17 中国人民解放军国防科学技术大学 Malicious code detection method based on image matching
CN110210217A (en) * 2018-04-26 2019-09-06 腾讯科技(深圳)有限公司 A kind of recognition methods of file, equipment and computer readable storage medium
CN109145605A (en) * 2018-08-23 2019-01-04 北京理工大学 A kind of Android malware family clustering method based on SinglePass algorithm
CN111666404A (en) * 2019-03-05 2020-09-15 腾讯科技(深圳)有限公司 File clustering method, device and equipment
CN113268987A (en) * 2021-05-26 2021-08-17 北京百度网讯科技有限公司 Entity name identification method and device, electronic equipment and storage medium
CN113268987B (en) * 2021-05-26 2023-08-11 北京百度网讯科技有限公司 Entity name recognition method and device, electronic equipment and storage medium
CN113836534A (en) * 2021-09-28 2021-12-24 深信服科技股份有限公司 Virus family identification method, system, equipment and computer storage medium
CN113836534B (en) * 2021-09-28 2024-04-12 深信服科技股份有限公司 Virus family identification method, system, equipment and computer storage medium
CN113987502A (en) * 2021-12-29 2022-01-28 阿里云计算有限公司 Object program detection method, device and storage medium
CN114021138A (en) * 2022-01-05 2022-02-08 北京微步在线科技有限公司 Construction method of homologous analysis knowledge base, homologous analysis method and device
CN114662111A (en) * 2022-05-18 2022-06-24 成都数默科技有限公司 Malicious code software gene homology analysis method
CN114662111B (en) * 2022-05-18 2022-08-09 成都数默科技有限公司 Malicious code software gene homology analysis method

Also Published As

Publication number Publication date
CN105512555B (en) 2018-05-25

Similar Documents

Publication Publication Date Title
CN105512555A (en) Homologous family dividing and mutation method and system based on file string cluster
Fan et al. Dapasa: detecting android piggybacked apps through sensitive subgraph analysis
Arshad et al. SAMADroid: a novel 3-level hybrid malware detection model for android operating system
AU2022204197B2 (en) Security weakness and infiltration detection and repair in obfuscated website content
Han et al. Malware analysis using visualized image matrices
US10614243B2 (en) Privacy detection of a mobile application program
US10303874B2 (en) Malicious code detection method based on community structure analysis
CN105205397A (en) Rogue program sample classification method and device
US10454967B1 (en) Clustering computer security attacks by threat actor based on attack features
US20170109541A1 (en) Identifying and tracking sensitive data
Bhattacharya et al. DMDAM: data mining based detection of android malware
KR20200039912A (en) System and method for automatically analysing android malware by artificial intelligence
US10664267B2 (en) Automatically detecting feature mismatches between mobile application versions on different platforms
Nguyen et al. Detecting repackaged android applications using perceptual hashing
CN115174250B (en) Network asset security assessment method and device, electronic equipment and storage medium
CN112148305A (en) Application detection method and device, computer equipment and readable storage medium
Kumar et al. Machine learning based malware detection in cloud environment using clustering approach
Liu et al. Using g features to improve the efficiency of function call graph based android malware detection
US9734229B1 (en) Systems and methods for mining data in a data warehouse
Ndagi et al. Machine learning classification algorithms for adware in android devices: a comparative evaluation and analysis
US9646157B1 (en) Systems and methods for identifying repackaged files
CN111027065B (en) Leucavirus identification method and device, electronic equipment and storage medium
US20190236269A1 (en) Detecting third party software elements
Zhang et al. Automatic detection of Android malware via hybrid graph neural network
KR20180097824A (en) Method, apparatus, and system for automatically generating rule for detecting virus code, and computer readable recording medium for recording the same

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 150010 Heilongjiang science and technology innovation city, Harbin new and high tech Industrial Development Zone, No. 7 building, innovation and entrepreneurship Plaza, 838

Patentee after: Harbin antiy Technology Group Limited by Share Ltd

Address before: 150090 room 506, Hongqi Street, Nangang District, Harbin Development Zone, Heilongjiang, China, 162

Patentee before: Harbin Antiy Technology Co., Ltd.

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Homologous family dividing and mutation method and system based on file string cluster

Effective date of registration: 20190718

Granted publication date: 20180525

Pledgee: Bank of Longjiang, Limited by Share Ltd, Harbin Limin branch

Pledgor: Harbin antiy Technology Group Limited by Share Ltd

Registration number: 2019230000007

CP01 Change in the name or title of a patent holder

Address after: 150010 Heilongjiang science and technology innovation city, Harbin new and high tech Industrial Development Zone, No. 7 building, innovation and entrepreneurship Plaza, 838

Patentee after: Antan Technology Group Co.,Ltd.

Address before: 150010 Heilongjiang science and technology innovation city, Harbin new and high tech Industrial Development Zone, No. 7 building, innovation and entrepreneurship Plaza, 838

Patentee before: Harbin Antian Science and Technology Group Co.,Ltd.

PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20211119

Granted publication date: 20180525

Pledgee: Bank of Longjiang Limited by Share Ltd. Harbin Limin branch

Pledgor: Harbin Antian Science and Technology Group Co.,Ltd.

Registration number: 2019230000007